[Koha] Issue logging into staff interface [Plack log complains about missing encryption key]

David Nind david at davidnind.com
Sat Nov 11 11:23:02 NZDT 2023

Hi Martin

This is what I tried, not sure whether this helps or not.... as it is not
something I know a great deal about.

Using the koha-testing-docker (or KTD, the environment used for testing by
many in the Koha Community), I set an encryption key, enabled the
two-factor authentication system preference, then set up 2FA for a patron -
could log in OK (used Aegis as my authenticator app).

If I changed the encryption key, then restarted everything, I can no longer
log in - the code I enter from the App doesn't work, and I get an error

Error decoding what should be base32 data: ��gHZxr �ZCP���*9i �� at
/kohadevbox/koha/C4/Auth.pm line 886.
 at /usr/lib/x86_64-linux-gnu/perl-base/Carp.pm line 289

So, maybe changing the encryption key is a bad thing with 2FA already
enabled is?

A relatively recent change in behavour (added in 23.05.01, 22.11.07) was
made by bug 33934 (
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33934), which
doesn't allow the use of __ENCRYPTION_KEY__ - it needs to be something else
other than this.

Maybe this is an unintended consequence of that change? I'll let others
comment on that if that is the case.

To resolve the issue, I changed the user in the database - I could then log
in again (I'm not sure whether this is the right way, but it worked for me):
update borrowers set auth_method="password" where borrowernumber="XXXX";

I'm not really sure how this should be managed - that is, if you change
your encryption key, then all your patrons with two-factor authentication
set up won't be able to log in.

David Nind
New Zealand

More information about the Koha mailing list